BIND and GHOST: MySQL DLZ module possibly vulnerable
Chuck Aurora
chucka at isc.org
Wed Feb 11 22:18:51 UTC 2015
Hello BIND users,
When the "GHOST" vulnerability in GNU libc was disclosed, we received
many questions from customers and users about how BIND was affected.
Our official position is, as always, that operators should upgrade all
linked libraries to unaffected versions, regardless of whether BIND can
trigger the bug.
And while we found no reason for concern about the GHOST vulnerability
being exploitable in the main core of named, additional scrutiny of code
contributed to BIND (the "contrib" directory in the source tarballs)
shows that the MySQL DLZ module is potentially exploitable due to its
use of gethostbyname().
We therefore recommend that BIND operators who are using DLZ, if they
are using the contributed MySQL module, should take immediate action to
upgrade their glibc to fix the GHOST vulnerability.
--
Chuck Aurora : ISC Software Support : chucka at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list